Abstract — We establish a construction of optimal authentication
codes achieving perfect multi-fold secrecy by means of
combinatorial designs. This continues the author's work (ISIT 2009,
cf. [1]) and answers an open question posed therein. As an
application, we present the first infinite class of optimal codes
that provide two-fold security against spoofing attacks and at the
same time perfect two-fold secrecy.

I. Introduction 

Authentication and secrecy are two crucial concepts in
cryptography and information security. Although independent
in their nature, various scenarios require that both aspects
hold simultaneously. For information-theoretic or unconditional
security (i.e. robustness against an attacker that has
unlimited computational resources), authentication and secrecy
codes have been investigated for quite some time. The initial
construction of authentication codes goes back to Gilbert,
MacWilliams & Sloane [2]. A more general and systematic
theory of authentication was developed by Simmons (e.g., [3],
[4]). Fundamental work on secrecy codes started with Shannon [5].

This paper deals with the construction of optimal authentication
codes with perfect multi-fold secrecy. It continues
the author's recent work [1], which naturally extended results
by Stinson [6] on authentication codes with perfect secrecy.
We will answer an important question left open in [1] that
addresses the construction of authentication codes with perfect
multi-fold secrecy for equiprobable source probability distributions.
We establish a construction of optimal authentication
codes which are multi-fold secure against spoofing attacks
and simultaneously provide perfect multi-fold secrecy. This
can be achieved by means of combinatorial designs. As an
application, we present the first infinite class of optimal codes
that achieve two-fold security against spoofing as well as
perfect two-fold secrecy.

The paper is organized as follows: Necessary definitions 
and concepts from the theory of authentication and secrecy 
codes as well as from combinatorial design theory will be 
summarized in Section II. Section III gives relevant combinatorial
constructions of optimal authentication codes which bear
no secrecy assumptions. In Section IV, we review Stinson's 
constructions in [6] and recent results from [1]. Section V is 
devoted to our new constructions. 



II. Preliminaries 
A. Authentication and Secrecy Codes 

We rely on the information-theoretical or unconditional secrecy
model developed by Shannon [5], and by Simmons
(e.g., [3], [4]) including authentication. Our notion complies,
for the most part, with that of [6], [7]. In this model of
authentication and secrecy three participants are involved:
a transmitter, a receiver, and an opponent. The transmitter
wants to communicate information to the receiver via a public
communications channel. The receiver in return would like
to be confident that any received information actually came
from the transmitter and not from some opponent (integrity of
information). The transmitter and the receiver are assumed to
trust each other. Sometimes this is also called an A-code.

In what follows, let $\mathcal{S}$ denote a set of $k$ source states (or
plaintexts), $\mathcal{M}$ a set of $v$ messages (or ciphertexts), and $\mathcal{E}$
a set of $b$ encoding rules (or keys). Using an encoding rule
$e \in \mathcal{E}$, the transmitter encrypts a source state $s \in \mathcal{S}$ to
obtain the message $m = e(s)$ to be sent over the channel.
The encoding rule is an injective function from $\mathcal{S}$ to $\mathcal{M}$, and
is communicated to the receiver via a secure channel prior to
any messages being sent. For a given encoding rule $e \in \mathcal{E}$, let
$M(e) := \{e(s) : s \in \mathcal{S}\}$ denote the set of valid messages. For
an encoding rule $e$ and a set $M^* \subseteq M(e)$ of distinct messages,
we define $f_e(M^*) := \{s \in \mathcal{S} : e(s) \in M^*\}$, i.e., the set of
source states that will be encoded under encoding rule $e$ by
a message in $M^*$. A received message $m$ will be accepted
by the receiver as being authentic if and only if $m \in M(e)$.
When this is fulfilled, the receiver decrypts the message $m$ by
applying the decoding rule $e^{-1}$, where

$$e^{-1}(m) = s \iff e(s) = m.$$

An authentication code can be represented algebraically by a
$(b \times k)$-encoding matrix with the rows indexed by the encoding
rules, the columns indexed by the source states, and the entries
defined by $a_{es} := e(s)$ ($1 \le e \le b$, $1 \le s \le k$).

We address the scenario of a spoofing attack of order $i$
(cf. [7]): Suppose that an opponent observes $i \ge 0$ distinct
messages, which are sent through the public channel using the
same encoding rule. The opponent then inserts a new message
$m'$ (being distinct from the $i$ messages already sent), hoping to
have it accepted by the receiver as authentic. The cases $i = 0$
and $i = 1$ are called impersonation game and substitution
game, respectively. These cases have been studied in detail
in recent years (e.g., [8], [9]), however less is known for the
cases $i \ge 2$. In this article, we focus on those cases where
$i \ge 2$.

For any $i$, we assume that there is some probability distribution
on the set of $i$-subsets of source states, so that any
set of $i$ source states has a non-zero probability of occurring.
For simplification, we ignore the order in which the $i$ source
states occur, and assume that no source state occurs more
than once. Given this probability distribution $p_S$ on $\mathcal{S}$, the
receiver and transmitter choose a probability distribution $p_E$
on $\mathcal{E}$ (called encoding strategy) with associated independent
random variables $S$ and $E$, respectively. These distributions
are known to all participants and induce a third distribution,
$p_M$, on $\mathcal{M}$ with associated random variable $M$. The deception
probability $P_{d_i}$ is the probability that the opponent can deceive
the receiver with a spoofing attack of order $i$. The following
theorem (cf. [7]) provides combinatorial lower bounds.

Theorem 1: [Massey] In an authentication code with $k$
source states and $v$ messages, the deception probabilities are
bounded below by

$$P_{d_i} \ge \frac{k-i}{v-i}.$$

An authentication code is called $t_A$-fold secure against
spoofing if $P_{d_i} = (k-i)/(v-i)$ for all $0 \le i \le t_A$.

Moreover, we consider the concept of perfect multi-fold
secrecy which has been introduced by Stinson [6] and generalizes
Shannon's fundamental idea of perfect (one-fold) secrecy
(cf. [5]). We say that an authentication code has perfect
$t_S$-fold secrecy if, for every positive integer $t^* \le t_S$, for every
set $M^*$ of $t^*$ messages observed in the channel, and for every
set $S^*$ of $t^*$ source states, we have

$$p_S(S^* \mid M^*) = p_S(S^*).$$

That is, the a posteriori probability distribution on the $t^*$
source states, given that a set of $t^*$ messages is observed,
is identical to the a priori probability distribution on the $t^*$
source states.

When clear from the context, we often only write $t$ instead
of $t_A$ resp. $t_S$.

B. Combinatorial Designs 

We recall the definition of a combinatorial $t$-design. For
positive integers $t \le k \le v$ and $\lambda$, a $t$-$(v, k, \lambda)$ design $\mathcal{D}$
is a pair $(X, \mathcal{B})$, satisfying the following properties:

(i) $X$ is a set of $v$ elements, called points,

(ii) $\mathcal{B}$ is a family of $k$-subsets of $X$, called blocks,

(iii) every $t$-subset of $X$ is contained in exactly $\lambda$ blocks.

We denote points by lower-case and blocks by upper-case
Latin letters. Via convention, let $b := |\mathcal{B}|$ denote the number
of blocks. Throughout this article, 'repeated blocks' are not
allowed, that is, the same $k$-subset of points may not occur
twice as a block. If $t < k < v$ holds, then we speak of a
non-trivial $t$-design. For historical reasons, a $t$-$(v, k, \lambda)$ design
with $\lambda = 1$ is called a Steiner $t$-design (sometimes also a
Steiner system). The special case of a Steiner design with
parameters $t = 2$ and $k = 3$ is called a Steiner triple system
STS($v$) of order $v$. A Steiner design with parameters $t = 3$ and
$k = 4$ is called a Steiner quadruple system SQS($v$) of order $v$.
Specifically, we are interested in Steiner quadruple systems in
this paper. As a simple example, the vector space $\mathbb{F}_2^d$ ($d \ge 3$)
with the set $\mathcal{B}$ of blocks taken to be the set of all subsets of
four distinct elements of $\mathbb{F}_2^d$ whose vector sum is zero, is a
non-trivial boolean Steiner quadruple system SQS($2^d$). More
geometrically, these SQS($2^d$) consist of the points and planes
of the $d$-dimensional binary affine space AG($d$, 2).





Fig. 1. Illustration of the unique SQS(8), with three types of blocks: 
faces, opposite edges, and inscribed regular tetrahedra. 

For the existence of $t$-designs, basic necessary conditions
can be obtained via elementary counting arguments (see, for
instance, [10]):

Lemma 1: Let $\mathcal{D} = (X, \mathcal{B})$ be a $t$-$(v, k, \lambda)$ design, and for
a positive integer $s \le t$, let $S \subseteq X$ with $|S| = s$. Then the
number of blocks containing each element of $S$ is given by

$$\lambda_s = \lambda \binom{v-s}{t-s} \Big/ \binom{k-s}{t-s}.$$

In particular, for $t \ge 2$, a $t$-$(v, k, \lambda)$ design is also an
$s$-$(v, k, \lambda_s)$ design.

It is customary to set $r := \lambda_1$ denoting the number of blocks
containing a given point. It follows

Lemma 2: Let $\mathcal{D} = (X, \mathcal{B})$ be a $t$-$(v, k, \lambda)$ design. Then
the following holds:

(a) $bk = vr$.

(b) $\binom{v}{t} \lambda = b \binom{k}{t}$.

(c) $r(k - 1) = \lambda_2 (v - 1)$ for $t \ge 2$.

For encyclopedic accounts of key results in design theory, 
we refer to [10], [11]. Various connections of designs with 
coding and information theory can be found in a recent 
survey [12] (with many additional references therein). 

III. Optimal Authentication Codes 

For our further purposes, we summarize the state-of-the-art 
for authentication codes which bear no secrecy assumptions. 
The following theorem (cf. [7], [13]) gives a combinatorial 
lower bound on the number of encoding rules. 

Theorem 2: [Massey-Schöbi] If an authentication code is
$(t-1)$-fold secure against spoofing, then the number of encoding
rules is bounded below by

$$b \ge \binom{v}{t} \Big/ \binom{k}{t}.$$

TABLE I
Optimal authentication codes with perfect secrecy:
Infinite classes

[Table body not recoverable from the extracted text. Surviving entries:
parameter conditions "$q$ prime power, $d \ge 2$ even" (twice),
$v \equiv 1 \pmod 6$, $v \equiv 1 \pmod{12}$, $v \equiv 1 \pmod{20}$,
$v \equiv 2, 10 \pmod{24}$; numbers of encoding rules
$v(v-1)/(k(k-1))$, $v(v-1)/6$, $v(v-1)/20$,
$v(v-1)(v-2)/(k(k-1)(k-2))$, $v(v-1)(v-2)/24$; references [6], [1].]

TABLE II
Optimal authentication codes with perfect secrecy:
Further examples

An authentication code is called optimal if the number of
encoding rules meets the lower bound with equality. When the
source states are known to be independent and equiprobable,
optimal authentication codes which are $(t-1)$-fold secure
against spoofing can be constructed via $t$-designs (cf. [6], [13],
[14]).

Theorem 3: [DeSoete-Schöbi-Stinson] Suppose there is a
$t$-$(v, k, \lambda)$ design. Then there is an authentication code for $k$
equiprobable source states, having $v$ messages and $\lambda \cdot \binom{v}{t} / \binom{k}{t}$
encoding rules, that is $(t-1)$-fold secure against spoofing.
Conversely, if there is an authentication code for $k$ equiprobable
source states, having $v$ messages and $\binom{v}{t} / \binom{k}{t}$ encoding
rules, that is $(t-1)$-fold secure against spoofing, then there
is a Steiner $t$-$(v, k, 1)$ design.
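
Theorem 3 can be checked by brute force on the boolean SQS($2^d$) of Section II-B. The following is an added example, not code from the paper; all function names are assumptions, and source states and encoding rules are taken as equiprobable, so only the block sets matter for the spoofing game.

```python
from fractions import Fraction
from itertools import combinations
from math import comb

def boolean_sqs(d):
    """SQS(2^d): 4-subsets of F_2^d (points as ints) whose vector sum is zero."""
    return [B for B in combinations(range(2 ** d), 4)
            if B[0] ^ B[1] ^ B[2] ^ B[3] == 0]

def is_steiner(blocks, v, t):
    """True if every t-subset of the v points lies in exactly one block."""
    hits = {T: 0 for T in combinations(range(v), t)}
    for B in blocks:
        for T in combinations(B, t):
            hits[T] += 1
    return all(h == 1 for h in hits.values())

def deception_probability(blocks, v, i):
    """P_{d_i}: average, over observed i-sets of messages, of the opponent's
    best chance that an inserted message is valid under the unknown rule."""
    b, k = len(blocks), len(blocks[0])
    total = Fraction(0)
    for seen in combinations(range(v), i):
        keys = [B for B in blocks if set(seen) <= set(B)]  # rules consistent with `seen`
        if not keys:
            continue
        best = max(sum(m in B for B in keys) for m in range(v) if m not in seen)
        p_seen = Fraction(len(keys), b * comb(k, i))       # probability of observing `seen`
        total += p_seen * Fraction(best, len(keys))
    return total

def massey_bound(k, v, i):
    """Lower bound of Theorem 1."""
    return Fraction(k - i, v - i)
```

For SQS(8) the 14 blocks meet the bound of Theorem 2 with equality, and the deception probabilities equal 4/8, 3/7 and 2/6 for $i = 0, 1, 2$; for $i = 3$ the opponent succeeds with probability 1, so the code is two-fold but not three-fold secure.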

IV. Stinson's Constructions & Recent Results 

Using the notation introduced in Section II-A, we review 
in Tables I and II previous constructions from [6], [1] for 
equiprobable source probability distributions. This lists all 
presently known optimal authentication codes with perfect 
secrecy. 

V. New Constructions 

Starting from the condition of perfect $t$-fold secrecy, we
obtain via Bayes' Theorem that

$$p_S(S^* \mid M^*) = \frac{p_M(M^* \mid S^*)\, p_S(S^*)}{p_M(M^*)} = \frac{\sum_{\{e \in \mathcal{E} : S^* = f_e(M^*)\}} p_E(e)\, p_S(S^*)}{\sum_{\{e \in \mathcal{E} : M^* \subseteq M(e)\}} p_E(e)\, p_S(f_e(M^*))}.$$

It follows

Lemma 3: An authentication code has perfect $t$-fold secrecy
if and only if, for every positive integer $t^* \le t$, for every set
$M^*$ of $t^*$ messages observed in the channel and for every set
$S^*$ of $t^*$ source states, we have

$$\sum_{\{e \in \mathcal{E} : S^* = f_e(M^*)\}} p_E(e) = \sum_{\{e \in \mathcal{E} : M^* \subseteq M(e)\}} p_E(e)\, p_S(f_e(M^*)).$$



Hence, if the encoding rules in a code are used with equal
probability, then for every $t^* \le t$, a given set of $t^*$ messages
occurs with the same frequency in each $t^*$ columns of the
encoding matrix.

Table II, rows surviving in the extracted text (the first rows are missing):

t_A  t_S  k  v    b              Ref.
          5  243  28,344,492     [1]
          6  12   132            [1]
4    1    6  84   5,145,336      [1]
          6  244  1,152,676,008  [1]

We can now establish an extension of the main theorem 
in [1]. Our construction yields optimal authentication codes 
which are multi-fold secure against spoofing and provide 
perfect multi-fold secrecy. 

Theorem 4: Suppose there is a Steiner $t$-$(v, k, 1)$ design,
where $\binom{v}{t^*}$ divides the number of blocks $b$ for every positive
integer $t^* \le t - 1$. Then there is an optimal authentication
code for $k$ equiprobable source states, having $v$ messages
and $\binom{v}{t} / \binom{k}{t}$ encoding rules, that is $(t-1)$-fold secure against
spoofing and simultaneously provides perfect $(t-1)$-fold secrecy.

Proof: Let $\mathcal{D} = (X, \mathcal{B})$ be a Steiner $t$-$(v, k, 1)$ design,
where $\binom{v}{t^*}$ divides $b$ for every positive integer $t^* \le t - 1$. By
Theorem 3, the authentication code has $(t-1)$-fold security
against spoofing attacks. Hence, it remains to prove that
the code also achieves perfect $(t-1)$-fold secrecy under
the assumption that the encoding rules are used with equal
probability. With respect to Lemma 3, we have to show that,
for every $t^* \le t - 1$, a given set of $t^*$ messages occurs
with the same frequency in each $t^*$ columns of the resulting
encoding matrix. This can be accomplished by ordering, for
each $t^* \le t - 1$, every block of $\mathcal{D}$ in such a way that every
$t^*$-subset of $X$ occurs in each possible choice in precisely
$b / \binom{v}{t^*}$ blocks. Since every $t^*$-subset of $X$ occurs in exactly
$\lambda_{t^*} = \binom{v-t^*}{t-t^*} / \binom{k-t^*}{t-t^*}$ blocks due to Lemma 1, necessarily $\binom{k}{t^*}$
must divide $\lambda_{t^*}$. By Lemma 2 (b), this is equivalent to saying
that $\binom{v}{t^*}$ divides $b$. To show that the condition is also sufficient,
we consider the bipartite ($t^*$-subset, block) incidence graph of
$\mathcal{D}$ with vertex set $\binom{X}{t^*} \cup \mathcal{B}$, where $(\{x_i\}_{i=1}^{t^*}, B)$ is an edge
if and only if $x_i \in B$ ($1 \le i \le t^*$) for $\{x_i\}_{i=1}^{t^*} \in \binom{X}{t^*}$ and
$B \in \mathcal{B}$. An ordering on each block of $\mathcal{D}$ can be obtained via
an edge-coloring of this graph using $\binom{k}{t^*}$ colors in such a way
that each vertex $B \in \mathcal{B}$ is adjacent to one edge of each color,
and each vertex $\{x_i\}_{i=1}^{t^*} \in \binom{X}{t^*}$ is adjacent to $b / \binom{v}{t^*}$ edges of
each color. Specifically, this can be done by first splitting up
each vertex $\{x_i\}_{i=1}^{t^*}$ into $b / \binom{v}{t^*}$ copies, each having degree
$\binom{k}{t^*}$, and then by finding an appropriate edge-coloring of the
resulting $\binom{k}{t^*}$-regular bipartite graph using $\binom{k}{t^*}$ colors. The
claim follows now by taking the ordered blocks as encoding
rules, each used with equal probability. ■
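
The ordering step of the proof, carried out for $t^* = 1$, as an added example that is not code from the paper. It uses a constructed input, the cyclic STS(13) with base blocks {0,1,4} and {0,2,7} ($b = 26$, so each point is split into $b/v = 2$ copies), and colors the edges by repeatedly removing a perfect matching; all function names are assumptions.

```python
from collections import Counter
from fractions import Fraction

def cyclic_sts13():
    """Constructed input: STS(13) as translates mod 13 of {0,1,4} and {0,2,7}."""
    return [tuple(sorted((x + s) % 13 for x in base))
            for base in ((0, 1, 4), (0, 2, 7)) for s in range(13)]

def perfect_matching(adj):
    """Kuhn's augmenting-path algorithm; adj[u] lists right vertices of left u."""
    match = {}                                  # right vertex -> left vertex
    def augment(u, visited):
        for w in adj[u]:
            if w not in visited:
                visited.add(w)
                if w not in match or augment(match[w], visited):
                    match[w] = u
                    return True
        return False
    for u in range(len(adj)):
        if not augment(u, set()):
            raise ValueError("graph is not regular: no perfect matching")
    return match

def order_blocks(blocks, v):
    """Order every block so each point occurs b/v times in each column."""
    b, k = len(blocks), len(blocks[0])
    if b % v:
        raise ValueError("v does not divide b")
    used, adj = Counter(), []
    for B in blocks:                            # split point x into b/v copies of degree k
        adj.append([(x, used[x] // k) for x in B])
        used.update(B)
    rules = [[None] * k for _ in blocks]
    for col in range(k):                        # one color class = one column
        for (x, copy), u in perfect_matching(adj).items():
            rules[u][col] = x
            adj[u].remove((x, copy))
    return [tuple(r) for r in rules]

def posterior(rules, m):
    """p_S(s | m) for equiprobable encoding rules and source states."""
    hits = [sum(r[s] == m for r in rules) for s in range(len(rules[0]))]
    return [Fraction(h, sum(hits)) for h in hits]
```

With the blocks left in sorted order, observing message 0 reveals the source state (posterior 1, 0, 0); after `order_blocks` every message gives posterior 1/3 for each of the three source states.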

Remark 1: It follows from the proof that we may obtain
optimal authentication codes that provide $(t-1)$-fold security
against spoofing and at the same time perfect $(t'-1)$-fold
secrecy for $t' \le t$, when the assumption of the above theorem
holds with $\binom{v}{t^*}$ divides $b$ for every positive integer $t^* \le t' - 1$.

As an application, we give an infinite class of optimal codes 
which are two-fold secure against spoofing and achieve perfect 
two-fold secrecy. This appears to be the first infinite class of 
authentication and secrecy codes with these properties. 

Theorem 5: For all positive integers $v \equiv 2 \pmod{24}$, there
is an optimal authentication code for $k = 4$ equiprobable
source states, having $v$ messages, and $v(v-1)(v-2)/24$
encoding rules, that is two-fold secure against spoofing and
provides perfect two-fold secrecy.

Proof: We will make use of Steiner quadruple systems
(cf. Section II-A). Hanani [15] showed that a necessary and
sufficient condition for the existence of a SQS($v$) is that $v \equiv 2$
or $4 \pmod 6$ ($v \ge 4$). Hence, the condition $v \mid b$ is fulfilled
when $v \equiv 2$ or $10 \pmod{24}$ and the condition $\binom{v}{2} \mid b$ when
$v \equiv 2 \pmod{12}$ in view of Lemma 2 (b). Therefore, if we assume
that $v \equiv 2 \pmod{24}$, then we can apply Theorem 4 to establish
the claim. ■

We present the smallest example: 

Example 1: An optimal authentication code for k = 4 
equiprobable source states, having v = 26 messages, and 
b = 650 encoding rules, that is two-fold secure against spoofing
and provides perfect two-fold secrecy can be constructed
from a Steiner quadruple system SQS(26). Each encoding rule 
is used with probability 1/650. 

Remark 2: For $v = 26$, the first SQS($v$) was constructed by
Fitting [16], admitting a $v$-cycle as an automorphism (cyclic
SQS($v$)). We generally remark that the number $N(v)$ of
non-isomorphic SQS($v$) is only known for $v = 8, 10, 14, 16$
with $N(8) = N(10) = 1$, $N(14) = 4$, and $N(16) =
1,054,163$ (cf. [17]). Lenz [18] proved that for the admissible
values of $v$, the number $N(v)$ grows exponentially, i.e.
$\liminf_{v \to \infty} \frac{\log N(v)}{v^3} > 0$. For comprehensive survey articles
on Steiner quadruple systems, we refer the reader to [19],
[20]. For classifications of specific classes of highly regular
Steiner quadruple systems and Steiner designs, see, e.g., [21],
[22].